PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45631 Dokploy CVE debrief

CVE-2026-45631 is a critical authentication bypass in Dokploy, a self-hostable Platform as a Service (PaaS), affecting versions 0.27.0 through 0.29.2. The root cause is a hardcoded fallback for the BETTER_AUTH_SECRET configuration value ('better-auth-secret-123456789'): an instance that never set the variable signs its email verification JWTs with a secret anyone can read in the published code, so an unauthenticated attacker can forge a token that passes verification. The verification flow auto-signs the bearer in, which yields administrative access, and the built-in SSH terminal then provides arbitrary command execution on the host. The CVSS 3.1 base score of 10.0 reflects a network attack vector, low attack complexity, no privileges required, no user interaction, a changed scope, and high impact to confidentiality, integrity, and availability. The vulnerability was published to the NVD on 2026-05-29 and is classified as CWE-798 (Use of Hard-coded Credentials).

Vendor
Dokploy
Product
Dokploy (self-hostable PaaS)
CVSS
CRITICAL 10.0 (CVSS 3.1)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Anyone running a self-hosted Dokploy instance at version 0.27.0 through 0.29.2, especially where the management interface is reachable from the internet. DevOps teams, platform engineers, and security operations centers responsible for PaaS infrastructure should treat this as a top-priority fix: exploitation needs nothing but the public fallback value, and a successful attack ends in command execution on the host.

Technical summary

The vulnerability is in Dokploy's authentication layer, which is built on Better Auth. When the BETTER_AUTH_SECRET environment variable is not explicitly configured, the application falls back to the hardcoded default 'better-auth-secret-123456789' and uses it to sign and verify the JWTs that drive the email verification flow. Because the server verifies tokens against that same fixed value, an attacker who knows the default can craft a token with a chosen payload and a valid signature, and presenting it triggers automatic sign-in as an administrative user. Once authenticated as admin, the attacker can open Dokploy's built-in SSH terminal, which runs commands on the underlying host with the privileges of the Dokploy process. The chain requires no prior authentication or user interaction and is carried out entirely over the network. Version 0.29.3 removes the fallback and requires the secret to be configured explicitly.

Defensive priority

CRITICAL

Recommended defensive actions

  • Upgrade Dokploy to version 0.29.3 or later immediately; this release removes the hardcoded fallback
  • Set BETTER_AUTH_SECRET explicitly to a cryptographically random value of at least 32 bytes (for example, 32 bytes from a CSPRNG, base64-encoded) and confirm the running process actually sees it; never rely on a default
  • Rotate session credentials and any tokens issued while the default secret was in effect, since anyone who knew the fallback could have minted them
  • Review access logs from the period before the patch for unexpected administrative sign-ins or SSH terminal sessions
  • If patching cannot happen immediately, restrict network access to the Dokploy management interface to trusted administrative hosts only
  • If compromise is suspected, audit the host for unauthorized command execution and persistence mechanisms, since the SSH terminal runs as the Dokploy process on the host itself

Evidence notes

Evidence sources include the official CVE record, NVD entry, GitHub Security Advisory, and associated pull request. The hardcoded secret value and affected version range (0.27.0 to before 0.29.3) are confirmed through these official channels.

Official resources

The vulnerability was disclosed via GitHub Security Advisory GHSA-w3gm-rc4p-9rhj and documented in GitHub pull request #4374. The NVD record was published on 2026-05-29T18:17:11.243Z and last modified on 2026-05-29T20:25:00.760Z.